Key highlights – our comments on the cybersecurity probe into DiDi and the draft of the revised Measures on Cybersecurity Review

In early July, the Cyberspace Administration of China (CAC) announced that it had initiated a cybersecurity review of three companies, namely DiDi, Boss Zhipin and Full Truck Alliance, and that during the review the three companies are not permitted to register new users in order to “prevent spreading of risks”. In addition, the CAC ordered application stores to remove DiDi’s application due to “serious violations in collecting and using personal information”. Notably, all three companies were listed in the United States in June 2021.

There are very few details available to the public about the proposed cybersecurity review except for the fact that it has been initiated. The cybersecurity review is one of the measures contemplated under the Cybersecurity Law (CSL) to ensure the supply chain security of critical information infrastructure (CII) through a review of the procurement of network products and services that may impact national security. One of the reasons why it had not been invoked until recently is that the scope of CII has not been identified. Although the CSL requires the State Council to publish regulations on the protection of CII, the CAC only released a draft regulation in July 2017. The guidance on identifying CII as contemplated in the draft regulation has never been published. Without knowing whether the information facilities are considered CII, it is almost impossible to put the security review and all the other relevant CII protection measures into practice. The State Council seems to have been aware of this, and has included the regulation on CII protection in its legislative agenda for 2019, 2020 and 2021. We hope this regulation will finally be published this year.

In the absence of CII identification guidance, the first question here is how DiDi was identified as an operator of CII. Although it might meet the criteria set out in the general definition of CII under the CSL, we expect that at least an identification procedure should be followed to justify the decision, and it is unclear whether DiDi was aware that it was considered a CII operator before the decision to initiate the cybersecurity review was made.

Another question is which network product or service procured by DiDi has impacted national security. There is no indication in the announcement by the CAC, and it remains to be seen how the CAC will interpret and assess the procurement's impact on national security.

There are also questions on the enforcement measures. The regulation on cybersecurity review does not empower the CAC to take any enforcement measures alongside the initiation of the review. In terms of penalties, the CSL only permits the authority to order the CII operator to cease using the relevant network products or services, and to impose a fine of up to 10 times the purchase amount on the CII operator and a fine of up to RMB 100,000 on the persons responsible, if the CII operator uses the unauthorised products or services. A provision of the CSL also allows the authorities to require network operators to take technical or other necessary measures to prevent or contain harm in the event of a cybersecurity incident. In this case, DiDi has been ordered to stop registering new users, and the CAC may rely on that provision to take the measures, although the announcement does not mention that a cybersecurity incident has occurred.

Source:  Herbert Smith Freehills LLP news